U.S.-China Cybersecurity Agreement: What's Next?
'Trust but Verify' Is Mantra Chanted by National Intelligence Director James ClapperEven if China fails to live up to its promise to stop pilfering corporate trade secrets, the U.S. could benefit diplomatically from the two nations' cybersecurity agreement (see U.S., China Reach Cyber Agreement).
See Also: Gartner Market Guide for DFIR Retainer Services
"If this agreement does fall apart - and chances are it won't hold for long, if at all, the U.S. will be in a much stronger position to respond to Beijing over its commercial espionage," Jason Healey, senior scholar at Columbia research University's School of International and Public Affairs, writes in an article posted on the Christian Science Monitor website.
With China President Xi Jinping's pledge not to pilfer corporate trade secrets online, the United States could take the moral high ground in regards to commercial e-spying should the Chinese renege on the agreement.
The cybersecurity agreement reached at last week's White House summit between presidents Obama and Xi goes beyond the rejection of cybertheft of intellectual property. Both sides pledged to identify "appropriate norms of state behavior in cyberspace" as well as cooperate in investigating cybercrimes.
The accord comes in the wake of several high-profile cyberattacks in recent months on U.S. government agencies, including the Office of Personnel Management as well as U.S. health insurers, including Anthem Inc. Some security experts - including James Clapper, America's director of national intelligence - say China has been involved in these attacks.
U.S. Spy Chief Expresses Skepticism
Clapper says he doubts the Chinese will change their ways. Asked by Chairman John McCain, R-Ariz., at a Senate Armed Services Committee hearing on Sept. 29 whether he was optimistic the new cybesecurity agreement would reduce Chinese hacking, Clapper responded, "No."
"There's a question about the extent to which the [Chinese] government orchestrates all of it or not, so I think we're in, to borrow a President Reagan term, a "trust-but-verify mode," at least as far as intelligence is concerned, and we are inherently skeptics," Clapper said.
The national security director's skepticism could, in part, be based on the different ways each nation interprets the agreement (see Cyber Lexicon: U.S., China Speak Different Languages). "Although not a legal document, the agreement might well be 'lawyered' by both sides to suit their interests, raising questions whether the two governments are reading the same words," David Fidler, adjunct senior fellow for cybersecurity at the Council on Foreign Relations, writes in a blog.
Martin Libicki, a senior management scientist at the think tank The Rand Corp., says there's little to prevent the Chinese from "reverting to old habits ... until they promise to accept something - be it some standard of proof, third-party evaluation, etc. - as a valid indicator of attribution."
Such interpretations demonstrate the weaknesses in the agreement. "No one says that compromising other people's computers is acceptable practice; thus, no one has to make a dramatic reversal of their own stated policies to accede to the Xi-Obama norms," says Libicki, who researches the impact of information technology on national security. "But, unless others legitimize some process of attribution, what's been accomplished?"
Sharing Methods
Achieving an agreeable process of attribution could prove challenging for the United States. Libicki points out the U.S. intelligence community doesn't like to share its methods to attribute attacks, "even if not sharing makes it easier for the Chinese to blandly deny everything."
Among the ways to get the Chinese to stop stealing industrial intellectual property is to shame them. Shaming might have gotten Xi to agree to Obama's insistence to halt the theft by the Chinese of corporate IP. Last year, the United States government indicted five members of the Chinese People's Liberation Army for hacking into the corporate servers of American manufacturers, stealing corporate secrets (see The Real Aim of U.S. Indictment of Chinese).
But a Chinese policy expert suggests shaming could be avoided if Xi proves to be a man of his word.
"If President Xi has personally made a promise that the nation would not do that [steal intellectual property], then there will be an incentive to at least restrict the amount of agencies and actors that are allowed to do that within China so they can keep better track of those activities," Melanie Hart, director of China policy at the Center for American Progress, told a Senate Foreign Affairs Committee subcommittee earlier this week. "We'll have to monitor those issues going forward to see if we have had progress, to see if our verbal progress turns into progress on action."
Indeed, Healey references a famous American aphorism: "China might have had Confucius, but the United States had Yogi Berra. And it ain't over until it's over."